
Bash bug: so, like, apply the unofficial patch now (CVE-2014-6277)

OK, rebuild bash and deploy Florian's unofficial patch now. If you're a distro maintainer, please consider doing the same.
My previous post has more information about the original vulnerability (CVE-2014-6271). It also explains Tavis' and my original negative sentiment toward the original upstream patch. In short, the revised code did not stop bash from parsing the code seen in potentially attacker-controlled, remotely-originating environment variables. Instead, the fix simply seeks to harden the parsing to prevent RCE. It relies on two risky assumptions

More here: http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html
